CVE-2024-34102 is a critical security vulnerability that affects versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier of Adobe Commerce and Magento Open Source. This flaw is classified as an Improperly Restricted XML External Entity (XXE) vulnerability. With a CVSS score of 9.8, it carries severe impact.
Technical Details
The vulnerability arises due to improper handling of XML external entity references in the affected versions. An attacker can exploit this vulnerability by sending a specially crafted XML document that references external entities. This can lead to arbitrary code execution on the server without any user interaction, which significantly increases the risk profile of this flaw.
Impact
When the CVE-2024-34102 attack is successful, it can result in:
- Arbitrary code execution
- Data exposure
- Potential full system exposure
Given its critical nature, this vulnerability poses a significant risk to e-commerce platforms using the affected versions of Adobe Commerce and Magento.
Affected Versions
The following versions are vulnerable:
- Adobe Commerce 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier.
Mitigation
To mitigate this vulnerability, it is crucial to update to the patched versions:
- Adobe Commerce 2.4.6-p6
- Adobe Commerce 2.4.5-p8
- Adobe Commerce 2.4.4-p9
Regular updates and patches are essential to protect systems from such vulnerabilities. There is no known workaround other than applying the necessary patches.